PHP 7.2 Performance & Security

 

On 30 November 2017, the PHP community announced the release of PHP 7.2, the second feature update to the PHP 7 series. While Drupal 7 does not include support for PHP 7.2, it does support PHP 7.1, which is 250% faster than PHP 5.6. Intrepid Network has been quietly updating select websites from Drupal 7 to Drupal 8, and we've been updating select Drupal 7 websites from PHP 5.6 to PHP 7.1. Performance tests confirm the reported claims: version 7.1 is indeed much faster.

As we continue these technology updates in an effort to improve the performance of our clients' websites, we are being diligent in testing. Not every Drupal 7 website needs to be migrated to Drupal 8, and not every website can be built on Drupal 8. Migrations and updates take into account each client's unique budget and measure their ROI. We don't sell it unless you need it or demand it. That being said, Drupal 8 is far faster than Drupal 7, and Drupal 8 supports PHP 7.2. We provide each option, and depending on your specific needs, we have your solution.

PHP version    Drupal 7
5.5            yes
5.6            yes
7.0            yes (see note 2 below)
7.1            yes (see note 3 below)
7.2            no (see note 4 below)

PHP version    Supported Version            Recommended?
5.5            5.5.9+                       No
5.6            Yes                          No
7.0            Yes                          No
7.1            Yes                          Yes
7.2            Yes as of Drupal 8.5.0*      Yes

 

Building on the achievements of PHP 7

PHP 7 was released at the end of 2015 and marked a new era for the programming language and the associated community, which have gone through some major changes over the last few years.

PHP is a very accessible language, which is sometimes discredited by language purists in the development world. The reality, however, is that more than 83% of all websites on the Internet are written in PHP. And popular frameworks such as WordPress, Drupal and Magento only contribute to the success of the PHP ecosystem.

Major investments have been made to significantly improve the performance of PHP 7. Great efforts have also been made to improve type hinting, and many old extensions are no longer supported.

The release timeline shows that feature updates are released on a yearly basis. So, this year, after the release of PHP 7.1 in 2016, we got PHP 7.2 as an early Christmas gift.

[Figure: PHP 7.2 release calendar]

PHP 7.2 is essentially a security feature release

Except for some minor improvements to the language itself, one observes that most new features are security related.

Argon2 Password Hashing

Until recently, bcrypt was the best choice to hash passwords in PHP. With the release of PHP 7.2, developers now have the opportunity to use Argon2, an alternative password hashing algorithm.

Argon2 came first in the Password Hashing Competition and is considered more secure than bcrypt thanks to the fact that, in addition to a “time cost”, there is also a “memory cost”.

This means that the algorithm will make it harder for hackers to crack passwords using brute force attacks. The “time cost” is usually avoided by unleashing powerful GPU-based computing power on the password.

The extra “memory cost” ensures that these machines suddenly require a proportional amount of RAM to be able to guess the password with a brute force attack.

Another benefit of Argon2 is that it also allows you to define the number of parallel threads used to compute the password hash.
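The three Argon2 cost parameters described above map directly onto the options of password_hash(). The following is an added example, not code from the original article: it verifies a legacy bcrypt hash at login and upgrades it to Argon2i. The cost values and the function names hashPassword() and verifyAndUpgrade() are assumptions for illustration, and it requires PHP 7.2+ built with Argon2 support.

```php
<?php
declare(strict_types=1);

// Assumed cost settings for illustration; benchmark and tune on your own hardware.
const ARGON2_OPTIONS = [
    'memory_cost' => 1 << 16, // "memory cost" in KiB (64 MiB per hash)
    'time_cost'   => 4,       // "time cost": number of passes over that memory
    'threads'     => 2,       // parallel lanes used to compute the hash
];

/** Hash a new password with Argon2i. */
function hashPassword(string $password): string
{
    $hash = password_hash($password, PASSWORD_ARGON2I, ARGON2_OPTIONS);
    if (!is_string($hash)) {
        throw new RuntimeException('Argon2i hashing failed');
    }
    return $hash;
}

/**
 * Verify a login attempt. On success, $newHash receives a replacement hash
 * when the stored one (e.g. bcrypt, or Argon2i with weaker costs) no longer
 * matches the current policy; otherwise it stays null.
 */
function verifyAndUpgrade(string $password, string $storedHash, ?string &$newHash): bool
{
    $newHash = null;
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_ARGON2I, ARGON2_OPTIONS)) {
        $newHash = hashPassword($password); // caller persists this in the user record
    }
    return true;
}

// Constructed sample: a legacy bcrypt hash as it might sit in a user table.
$legacy = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);

var_dump(verifyAndUpgrade('correct horse battery staple', $legacy, $upgraded));
var_dump(password_get_info($legacy)['algoName']);
var_dump(password_get_info($upgraded)['algoName']);
var_dump(verifyAndUpgrade('wrong guess', $upgraded, $unused));
```

The rehash can only happen at login, because that is the only moment the plaintext password is available to the application.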

Mcrypt is gone

Mcrypt is a popular PHP cryptography extension. Unfortunately, the mcrypt library on which this extension depends has not been updated since 2007.

The library has several bugs and outstanding patches that have gone unaddressed for quite a long time. In PHP 7.1, this extension was already deprecated. In 7.2, mcrypt was removed from the PHP core and moved to the PECL repository.

Instead of Mcrypt, developers can now use OpenSSL and the new Sodium extension.

Sodium as a competitor to OpenSSL

OpenSSL is the most popular cryptography library, but it has both pros and cons. In the spirit of healthy competition, PHP 7.2 provides an alternative cryptography library: Sodium.

A libsodium implementation has long been available in PHP via PECL. Promoting this extension required a namespace change to conform to the PHP coding standards: in PECL, the “\Sodium” namespace was used to call the associated features.

In PHP 7.2, these features are included in the root namespace, with function names prefixed “sodium_”.
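For code that previously encrypted data with mcrypt, the root-namespace sodium_ functions offer authenticated symmetric encryption. The following is an added example, not code from the original article: it seals a message with sodium_crypto_secretbox() and shows that a tampered ciphertext is rejected instead of decrypted. The helper names sealMessage() and openMessage() and the sample data are assumptions.

```php
<?php
declare(strict_types=1);

/** Encrypt and authenticate $plaintext; returns base64(nonce || ciphertext). */
function sealMessage(string $plaintext, string $key): string
{
    // A fresh random nonce per message; it is not secret and travels with the ciphertext.
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $cipher);
}

/** Returns the plaintext, or null if the input is malformed, tampered with, or the key is wrong. */
function openMessage(string $encoded, string $key): ?string
{
    $raw    = base64_decode($encoded, true);
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minLen) {
        return null;
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // The authentication tag is checked before any plaintext is released.
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    return $plain === false ? null : $plain;
}

// Constructed sample data.
$key    = sodium_crypto_secretbox_keygen();
$sealed = sealMessage('session=42;role=editor', $key);

// Round trip with the correct key.
var_dump(openMessage($sealed, $key));

// Flip one bit of the ciphertext: decryption must fail rather than return altered data.
$raw = base64_decode($sealed, true);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 0x01);
var_dump(openMessage(base64_encode($raw), $key));

// Wipe the key from memory once it is no longer needed.
sodium_memzero($key);
```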

The improvement of TLS version constants

Until recently, “ssl” was the standard stream wrapper when an encrypted connection was established from PHP. The developers of PHP 7.2 decided to make “tls” default and “ssl” an alias.

They also decided to be more rigorous about supported TLS versions. Clients with only TLS 1.0 enabled will no longer be supported.

In the past, an attempt had already been made for this, but back then, the decision was postponed to maintain compatibility with PHP 5.6. The fact that PHP 7.2 is part of a new “major release” allows for such a “backwards compatibility break”.

Language-related features

The language-related features are not particularly remarkable and are mainly corrections of previous errors:

The only noteworthy language feature in PHP 7.2 is the availability of the “object typehint”, which allows functions and methods to accept and return generic objects. This way, it is no longer necessary to use specific class names.